Joint defence method and apparatus for network security, and server and storage medium

ABSTRACT

A method for network security joint defense includes: obtaining security log information of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment; converting log formats of the multiple obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices; classifying and summarizing the intrusion event information included in the converted security log information according to preset intrusion event types; obtaining a security device identification corresponding to each of preset intrusion event types; and pushing the intrusion event information corresponding to each preset intrusion event type to the security device corresponding to the security device identification, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information.

This application claims priority of Chinese patent application No.2016111560167, entitled "METHOD AND APPARATUS FOR NETWORK SECURITY JOINT DEFENSE", filed on Dec. 14, 2016, the content of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present invention relates to the field of computer technology, and particularly relates to a method, an apparatus, a server and a storage medium for network security joint defense.

BACKGROUND

With the rapid development of Internet technology, enterprise operations, social activities and people's daily lives are inseparable from the Internet. To ensure the orderly operation of the above activities, it is necessary to strengthen the construction and maintenance of network security systems.

Traditional network security defense generally relies on existing security devices, such as vulnerability scanning devices, firewalls, and intrusion protection devices. These security devices have limited security defense capabilities. Each security device has its own unavoidable shortcomings, and the resulting security defense is unsatisfactory. Thus, how to achieve more satisfactory network security defense using the traditional security devices has become an urgent problem to be solved.

SUMMARY OF THE INVENTION

A method, an apparatus, a server and a storage medium for network security joint defense are provided according to various embodiments disclosed in the present application.

A method for network security joint defense includes:

obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment;

classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types;

obtaining a corresponding relationship between each preset intrusion event type and a security device identification; and

pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

A method for network security joint defense includes:

detecting network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information;

uploading the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information, to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule;

receiving at least one of the event types of intrusion event information which is pushed by the security log sharing platform; and

generating a joint defense policy by taking the received intrusion event information as clue information.

An apparatus for network security joint defense includes:

a security log information obtaining module, configured to obtain security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device, obtained by the security devices in a network/system environment;

a log information classifying module, configured to classify and summarize the intrusion event information included in the security log information according to preset intrusion event types;

an associated information obtaining module, configured to obtain a corresponding relationship between each preset intrusion event type and a security device identification; and

a log information pushing module, configured to push the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

An apparatus for network security joint defense includes:

a security log information generating module, configured to detect network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information;

a security information sharing module, configured to upload the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule;

an event information receiving module, configured to receive at least one of the event types of intrusion event information which is pushed by the security log sharing platform; and

a joint policy generating module, configured to generate a joint defense policy by taking the received intrusion event information as clue information.

A server includes a memory and a processor, and the memory stores computer executable instructions which, when executed by the processor, cause the processor to perform the following steps:

obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment;

classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types;

obtaining a corresponding relationship between each preset intrusion event type and a security device identification; and

pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

One or more non-volatile readable storage media store computer executable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:

obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment;

classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types;

obtaining a corresponding relationship between each preset intrusion event type and a security device identification; and

pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

One or more non-volatile readable storage media store computer executable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:

detecting network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information;

uploading the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information, to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule;

receiving at least one of the event types of intrusion event information which is pushed by the security log sharing platform; and

generating a joint defense policy by taking the received intrusion event information as clue information.

Details of one or more embodiments of the present application are set forth in the accompanying drawings and the description below. Other features, purposes, and advantages will become apparent from the description, the accompanying drawings and the claims.

BRIEF DESCRIPTION OF DRAWINGS

To illustrate the technical solutions according to the embodiments of the present application or in the prior art more clearly, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the accompanying drawings in the following description show only some embodiments of the present application, and persons of ordinary skill in the art can also derive other drawings from these accompanying drawings without any creative effort.

FIG. 1 is an application environment diagram of a method for network security joint defense in one embodiment.

FIG. 2 is a flow diagram of a method for network security joint defense in one embodiment.

FIG. 3 is a flow diagram of a method for network security joint defense in another embodiment.

FIG. 4 is a structural block diagram of an apparatus for network security joint defense in one embodiment.

FIG. 5 is a structural block diagram of an apparatus for network security joint defense in another embodiment.

FIG. 6 is an internal structural schematic diagram of a server in one embodiment.

FIG. 7 is an internal structural schematic diagram of a security device in one embodiment.

DETAILED DESCRIPTION OF EMBODIMENTS

The present application will be further described in detail below with reference to the accompanying drawings and embodiments, so that the purposes, technical solutions and advantages of the present application become clearer. It should be understood that the specific embodiments described herein are merely used to illustrate the present application and are not intended to limit it.

As shown in FIG. 1, in one embodiment, an application environment diagram of a method for network security joint defense is provided. The application environment includes a plurality of security devices 110 and a server capable of two-way communication with the security devices 110. A security device 110 may be a firewall security device, a hardware security device installed with an IDS (Intrusion Detection System) or an IPS (Intrusion Prevention System), a vulnerability scanning security device, and the like, which can perform security detection and protection for a system and network. The security devices can monitor user behavior or system activity from a computer network or a computer server, and analyze the monitoring information under the rules of their own defense policies to obtain a security log recording an intrusion event (including an intrusion detection event, an intrusion processing event, etc.) that violates the own defense policy.

Each security device uploads the obtained security log information to the server; the server summarizes and analyzes the plurality of security logs, and returns intrusion event information belonging to one type to the corresponding security device, implementing information sharing between the plurality of security devices. With this richer intrusion event information, the security devices detect, locate and process the intrusion event more timely and accurately.

FIG. 2 is a flow diagram of a method for network security joint defense in one embodiment of the present application. It should be understood that, although each step in the flow diagram of FIG. 2 is shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Except as explicitly stated herein, these steps are not subject to a strict ordering limitation and may be performed in other orders. Moreover, at least some of the steps in FIG. 2 may include a plurality of sub-steps or stages, which are not necessarily performed sequentially, but may be performed in turns or alternately with at least some of the other steps, or with sub-steps or stages of other steps.

Referring to FIG. 2, a method for network security joint defense specifically includes the following steps:

Step S202: obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment.

The security device refers to a device that can detect a behavior violating a security policy, or an encountered sign of assault, from a network or a system in a network environment. The security device may include a firewall, an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), a vulnerability scanning device, etc. The firewall is installed at the boundary between different networks and is the only channel between networks or security domains with different security levels. Only communication that is explicitly authorized by the firewall policy can pass through the channel. By collecting and analyzing the system, the network and the data, as well as the state and behavior of user activity (such information is typically obtained from log files of the system and the network), the IDS identifies attacking behavior, detects abnormal conditions, and issues abnormality warnings. The IPS performs simple and quick attack detection and processes the detected attack in real time. The vulnerability scanning device remotely detects vulnerability information existing on a target network or on a local host over the network.

The security log information includes the intrusion event information violating a preset defense policy of the security device in the network/system environment, which the security device obtains through its own functions such as detection and defense. For example, for the firewall, the security log information may be information about a detected access event that is denied by the firewall security policy; for the vulnerability scanning device, the security log information may be the vulnerability information detected in the network and system environment; for the IDS and the IPS, the security log information may be an identified attack event or an abnormal event, and the security log information of the IPS also includes event processing information, such as information about terminating a process, cutting off a connection, changing a file attribute, etc. The security log information of different security devices has different contents and log formats.

Step S204: converting the log formats of the multiple obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices.

The log formats of different security devices may be different. Before performing statistical analysis on the security log information, it is necessary to unify the formats of the obtained security log information. The differing obtained security log information is converted into the preset log format, and the preset log format is guaranteed to be identifiable by these security devices.

The format of a security log includes an expression and field formats. The expression may be a text expression, a binary expression, or another computer language expression. Unifying the log format means that both the expression and the field formats are unified.

In one embodiment, the security device may encrypt the security log information to be uploaded to the server; the server stores secret key information in advance, decrypts the encrypted security log information according to the secret key information, and then performs step S204. In another embodiment, before pushing the classified and summarized intrusion event information to the security device, the server may encrypt the pushed information to prevent the information from being altered during network transmission, which would otherwise prevent the security device from performing security detection and security defense accurately.

Step S206: classifying and summarizing the intrusion event information included in the converted security log information according to preset intrusion event types.

The server presets the types of intrusion events, such as a fuzzy intrusion event, an intrusion event in which an attack source has been detected, vulnerability information, and a processed intrusion event. System vulnerabilities can also be classified as fuzzy intrusion events. In another embodiment, the intrusion event types can be further refined.

Step S208: obtaining a corresponding relationship between each preset intrusion event type and a security device identification.

The security devices here are configured to include the vulnerability scanning security device, the IDS, the IPS, and the firewall. The server assigns a unique security device identification to each of the above security devices, and establishes in advance the corresponding relationship between the classified intrusion event types and the security device identifications.

In one embodiment, the fuzzy intrusion event may be bound to the IDS and/or IPS security device identification, so that the IDS and/or IPS security devices can further investigate the intrusion event based on the fuzzy intrusion event information to locate the attack type and the attack source; the intrusion event in which the attack source has been detected may be bound to the IPS security device identification, so that the IPS carries out an attack processing response in time according to the explicit attack source information; and the intrusion event in which the attack source has been detected may also be bound to the firewall security device identification, so that the firewall updates its security defense policy and blocks the link corresponding to the intrusion event.

Step S210: pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

According to the binding relationship between the intrusion event types and the security devices, the intrusion event information corresponding to each intrusion event type is pushed to the security device bound to that type, so that the security device obtains more clues and adjusts its security defense policy according to the clues, detecting and processing the intrusion event more accurately and timely.

In this embodiment, a plurality of security devices upload the security log information they detect while performing security defense to a sharing platform. The sharing platform performs a readability format conversion and an overall analysis and classification on all security logs, and shares the statistically analyzed security log information, according to a set information sharing rule, with the security device that can best realize the value of that security log information. The security device dynamically adjusts its security defense policy by taking the security log information pushed by the sharing platform as clue information, locates the attack event quickly and accurately, and thereby processes the attack event quickly and effectively. This multi-security-device information sharing and joint defense greatly improves the accuracy and timeliness of network security defense and achieves a better security defense effect.
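The following Python sketch is an added illustration of steps S204 to S210 and is not code from the patent or its applicant. It models the sharing platform: three constructed vendor log formats (a key=value firewall line, a JSON vulnerability finding, and a free-text IDS/IPS alert, the last two device kinds sharing one parser) are converted into one preset record layout, each record is classified into a preset intrusion event type, and the summarized records are pushed to the device identifications bound to that type. The event-type names, device identifications, binding table, classification rules, parsers and sample log lines (including the placeholder vulnerability identifier) are all assumptions made for the example; the patent names the categories and device roles but no concrete formats.

```python
"""Added example, not the patent's own code: a minimal security log sharing
platform performing steps S204 (format conversion), S206 (classification)
and S208/S210 (binding lookup and push). All formats, names and sample
logs below are constructed for illustration."""
import json
import re
from collections import defaultdict

# Preset intrusion event types (identifiers are assumptions).
FUZZY = "fuzzy_intrusion"              # attack information inexplicit (incl. vulnerabilities)
ATTACK_SOURCE = "attack_source_detected"
PROCESSED = "processed_intrusion"      # already handled by an IPS

# Security device identifications assigned by the server, with the device kind (constructed).
DEVICES = {"vuln-scanner-1": "vulnscan", "ids-1": "ids", "ips-1": "ips", "fw-1": "firewall"}

# Corresponding relationship between event types and device identifications (step S208):
# fuzzy events go to IDS/IPS, explicit attack sources to IPS and firewall.
BINDINGS = {FUZZY: ["ids-1", "ips-1"], ATTACK_SOURCE: ["ips-1", "fw-1"], PROCESSED: []}

# Constructed raw security logs, one vendor-specific format per device kind.
RAW_LOGS = [
    ("fw-1", "ts=2016-12-14T10:00:01Z action=DENY src=198.51.100.7 dst=10.0.0.5 dport=445"),
    ("vuln-scanner-1", '{"time": "2016-12-14T09:55:00Z", "host": "10.0.0.5", "port": 445,'
                       ' "vuln_id": "VULN-PLACEHOLDER-1", "severity": "high"}'),
    ("ids-1", '2016-12-14T10:00:03Z ALERT sig="smb exploit attempt" 198.51.100.7:51234 -> 10.0.0.5:445'),
    ("ips-1", "2016-12-14T10:00:04Z BLOCK conn 198.51.100.7 -> 10.0.0.5:445 action=reset"),
]

def parse_firewall(line):
    """key=value text format -> preset fields."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"time": kv["ts"], "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"]),
            "verdict": kv["action"], "detail": "access denied by firewall policy"}

def parse_vulnscan(line):
    """JSON finding -> preset fields; a finding has a target but no attack source."""
    rec = json.loads(line)
    return {"time": rec["time"], "src": None, "dst": rec["host"], "dport": int(rec["port"]),
            "verdict": "VULN", "detail": f"{rec['vuln_id']} ({rec['severity']})"}

IDS_RE = re.compile(r"^(?P<time>\S+) (?P<verdict>ALERT|BLOCK) .*?"
                    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)")

def parse_ids_ips(line):
    """Free-text IDS/IPS alert line -> preset fields (one parser serves both kinds)."""
    m = IDS_RE.match(line)
    if m is None:
        raise ValueError("unrecognised IDS/IPS line: " + line)
    return {"time": m["time"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "verdict": m["verdict"], "detail": line.split(m["verdict"], 1)[1].strip()}

PARSERS = {"firewall": parse_firewall, "vulnscan": parse_vulnscan,
           "ids": parse_ids_ips, "ips": parse_ids_ips}

def to_preset_format(device_id, line):
    """Step S204: convert one raw line into the preset (device-independent) record."""
    kind = DEVICES[device_id]
    rec = PARSERS[kind](line)
    rec.update(device_id=device_id, device_kind=kind)
    return rec

def classify(rec):
    """Step S206: assign a preset intrusion event type (rules are assumptions)."""
    if rec["device_kind"] in ("vulnscan", "firewall"):
        return FUZZY            # a finding or a denied access names no confirmed attacker
    if rec["verdict"] == "BLOCK":
        return PROCESSED        # the IPS already acted on it
    return ATTACK_SOURCE        # IDS alert with an explicit source address

def summarize_and_route(raw_logs):
    """Steps S206-S210: group records by type, then push each group to the bound devices."""
    summary = defaultdict(list)
    for device_id, line in raw_logs:
        rec = to_preset_format(device_id, line)
        summary[classify(rec)].append(rec)
    pushes = defaultdict(list)
    for event_type, records in summary.items():
        for target in BINDINGS[event_type]:
            # a device gains nothing from its own records, so skip those
            pushes[target].extend(r for r in records if r["device_id"] != target)
    return dict(summary), dict(pushes)

if __name__ == "__main__":
    summary, pushes = summarize_and_route(RAW_LOGS)
    for device_id, records in pushes.items():
        print(device_id, "<-", [(r["device_id"], r["detail"]) for r in records])
```

With the sample logs, the IDS receives the firewall denial and the vulnerability finding as fuzzy clues, the IPS receives those plus the IDS alert, and the firewall receives only the IDS alert carrying an explicit attack source; the IPS block record is summarized but pushed nowhere, because the binding table lists no consumer for processed events.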

In one embodiment, the security device includes a fuzzy detection device and an attack detection device. The fuzzy detection device is configured to detect a fuzzy intrusion event. The attack detection device is configured to detect attack source information. The detected fuzzy intrusion event is associated with an attack detection device identification.

Specifically, both the fuzzy detection device and the attack detection device can detect intrusion event information in the network and the system. The fuzzy intrusion event is one of the intrusion event types preset by the server. Further, the fuzzy intrusion event information describes an intrusion event in which the attack information is inexplicit; that is, the fuzzy intrusion event is intrusion event information that other security detection devices can utilize to generate explicit attack information.

Step S210, the pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information, includes:

pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

The server pushes the fuzzy intrusion event information detected by the fuzzy detection device to the attack detection device, and the attack detection device adjusts its own defense policy or generates a new detection policy according to the fuzzy intrusion event information. The updated or newly generated detection policy is a joint detection policy. The attack detection device performs further detection on the intrusion event information according to the generated joint detection policy to obtain the attack source information.

It should be noted that, after the joint detection policy is generated in this embodiment, the joint detection policy is added to the security device to enhance the security device's ability to detect intrusion events, so that the security device can detect more intrusion events during subsequent detection work and generate a new joint detection policy. In this way, the detection performance of the security device is continuously enhanced.

For example, the fuzzy detection device is the vulnerability scanning security device, the fuzzy intrusion event information is the vulnerability information in a system/application/network scanned by the vulnerability scanning security device, and the attack detection device is the IDS. The IDS generates an attack source detection policy for the vulnerability information, executes that attack source detection policy, and detects the attack source information of attacks against the vulnerability. The attack source information for the vulnerability is thereby detected by the IDS.

In this embodiment, the attack source information obtained by the attack detection device is substantially more detailed and explicit intrusion event information, obtained through the joint cooperation of the fuzzy detection device and the attack detection device. The security devices cooperate with each other thanks to the sharing of security device information, so that attack events can be detected more quickly and more accurately.

In one embodiment, the security device further includes an attack defense device, and the attack source information is associated with an attack defense device identification.

Specifically, the attack defense device refers to a security device capable of performing attack event processing (such as terminating a process, cutting off a connection, changing a file attribute, and restricting access) to eliminate the harm of the attack event or reduce its impact. In one embodiment, the attack defense device may be the IPS, the firewall, etc.

After the step of pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy, the method further includes:

pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information. The server pushes to the attack defense device the attack source information that was obtained through the joint cooperation analysis and uploaded by the attack detection device, and the attack defense device generates a security defense policy for that attack source information. This security defense policy is substantially the joint defense policy generated from the intrusion event information of a plurality of security devices, and by implementing the generated joint defense policy the attack defense device performs more accurate and timely attack processing and defense.
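The two-stage chain just described (fuzzy detection device to attack detection device to attack defense device), as an added Python illustration that is not the patent's own code: a vulnerability scanner's findings are pushed as fuzzy events to a stand-in IDS, which derives an attack source joint detection policy (watch connections to the vulnerable host/port pairs) and applies it to its own observations to report attack sources; those are then pushed to a stand-in firewall, which derives a joint defense policy of deny rules and can check new connection attempts against it. The record layouts, the policy representations, the `min_hits` threshold, the placeholder vulnerability identifiers and the sample events are all assumptions made for the example.

```python
"""Added example, not the patent's own code: the fuzzy detection ->
attack detection -> attack defense chain, with the server's two pushes
modelled as direct method calls. Record layouts, policy representations
and the sample events are constructed for illustration."""

# Fuzzy intrusion events pushed by the server (constructed vulnerability findings;
# the vulnerability identifiers are placeholders).
FUZZY_EVENTS = [
    {"dst": "10.0.0.5", "dport": 445, "detail": "VULN-PLACEHOLDER-1 (high)"},
    {"dst": "10.0.0.9", "dport": 8080, "detail": "VULN-PLACEHOLDER-2 (medium)"},
]

# Connections the attack detection device observes after receiving the clues (constructed).
IDS_OBSERVATIONS = [
    {"time": 1, "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 445},
    {"time": 2, "src": "203.0.113.20", "dst": "10.0.0.5", "dport": 22},
    {"time": 3, "src": "198.51.100.7", "dst": "10.0.0.9", "dport": 8080},
    {"time": 4, "src": "192.0.2.44", "dst": "10.0.0.9", "dport": 8080},
]

class AttackDetectionDevice:
    """Stands in for the IDS."""
    def __init__(self):
        self.joint_detection_policy = set()   # (dst, dport) pairs to watch closely

    def receive_fuzzy_events(self, events):
        """Generate the attack source joint detection policy from the pushed clues."""
        for ev in events:
            self.joint_detection_policy.add((ev["dst"], ev["dport"]))

    def detect(self, observations, min_hits=1):
        """Apply the joint detection policy; return attack source information.
        min_hits (an assumption) lets the device demand repeated contact before reporting."""
        hits = {}
        for obs in observations:
            if (obs["dst"], obs["dport"]) in self.joint_detection_policy:
                hits.setdefault(obs["src"], []).append((obs["dst"], obs["dport"]))
        return [{"src": src, "targets": sorted(set(t)), "count": len(t)}
                for src, t in hits.items() if len(t) >= min_hits]

class AttackDefenseDevice:
    """Stands in for the firewall (or IPS)."""
    def __init__(self):
        self.joint_defense_policy = []        # ordered deny rules

    def receive_attack_sources(self, sources):
        """Generate the joint defense policy: one deny rule per (source, target) pair."""
        for s in sources:
            for dst, dport in s["targets"]:
                rule = {"action": "deny", "src": s["src"], "dst": dst, "dport": dport}
                if rule not in self.joint_defense_policy:
                    self.joint_defense_policy.append(rule)

    def permits(self, src, dst, dport):
        """Policy check for a new connection attempt."""
        return not any(r["src"] == src and r["dst"] == dst and r["dport"] == dport
                       for r in self.joint_defense_policy)

def run_chain(fuzzy_events, observations, min_hits=1):
    """The server's two pushes, in order, returning what each device produced."""
    ids, fw = AttackDetectionDevice(), AttackDefenseDevice()
    ids.receive_fuzzy_events(fuzzy_events)       # push 1: fuzzy event -> attack detection device
    sources = ids.detect(observations, min_hits)
    fw.receive_attack_sources(sources)           # push 2: attack source -> attack defense device
    return sources, fw

if __name__ == "__main__":
    sources, fw = run_chain(FUZZY_EVENTS, IDS_OBSERVATIONS)
    print(sources)
    print(fw.joint_defense_policy)
```

Note that the connection to port 22 never enters the attack source information, because no fuzzy event named that port: the joint detection policy focuses the IDS on the targets the scanner flagged rather than on all traffic, which is the "clue" role the text assigns to fuzzy events.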

In one embodiment, as shown in FIG. 3, a method for network security joint defense is also provided. The method is illustrated by being applied to one of the security devices 110 shown in FIG. 1, and specifically includes the following steps:

Step S302: detecting network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information.

The security device refers to a device that can detect a behavior violating a security policy, or an encountered sign of assault, from a network or a system in a network environment. The security device may include a firewall, an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), a vulnerability scanning device, etc.

The security device is configured with its own intrusion defense policy. It performs intrusion detection by implementing its own intrusion defense policy, generates intrusion event information that violates its own defense policy, and records the generated intrusion event information in the form of a security log.

Step S304: uploading the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information, to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule.

Specifically, the security device uploads the generated security log information to the server at every set time, or the server automatically captures the security log information from the security device at every set time.

Step S306: receiving at least one of the event types of intrusion event information which is pushed by the security log sharing platform.

Step S308: generating a joint defense policy by taking the received intrusion event information as clue information.

In an embodiment, the log format of the obtained security log of each security device is converted by the server for consistency, and the converted log format is guaranteed to be identifiable by each security device. Further, the server performs statistical analysis and classification on the security log information in the unified format, and pushes the security log information (intrusion event information) of a set type to the set security device, so that the information is fully shared. Each security device can mine, locate, defend against and dispose of attacks more quickly and accurately according to the shared intrusion event information.

In this embodiment, the security device can obtain the security log information of other security devices through the sharing platform, and fully utilize the shared security log information to optimally adjust its security policy, so that attack detection and processing are more efficient and accurate, and the security defense capability of the security device is greatly improved.

In one embodiment, the generating a joint defense policy by taking the received intrusion event information as clue information in step S306 includes: associating the security log information generated by the security device itself with the received intrusion event information to generate joint security log information; and generating a joint defense policy according to the joint security log information, and implementing the joint defense policy to perform intrusion event detection and intrusion event defense.

Specifically, the security device can associate the intrusion events according to a time attribute in the security log information. In another embodiment, the joint security log information can be obtained by associating the events according to an address feature (such as an IP address) and a port information attribute.

The security device can generate the joint defense policy from the joint security log information, so that attack detection and processing are more efficient and accurate, and the security defense capability of the security device is greatly improved.
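The device-side association described above, as an added Python illustration that is not the patent's own code: a security device (here a firewall, with its own denied-access log) pairs its own events with intrusion event information received from the sharing platform, either by time attribute, by address and port attributes, or by both, to form joint security log information, and then derives a joint defense policy from the corroborated pairs. The record layout, the 60-second window, the rule tuple shape and the sample events are all assumptions made for the example; the patent states the two association criteria but no specific window or rule format.

```python
"""Added example, not the patent's own code: associate a device's own security
log with received intrusion event information (by time, by address/port, or
both) into joint security log information, then derive a joint defense
policy. Layouts, window and sample events are constructed for illustration."""
from datetime import datetime, timedelta

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# This device's own log (constructed: a firewall's denied-access events).
OWN_LOG = [
    {"time": "2016-12-14T10:00:01Z", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 445},
    {"time": "2016-12-14T10:30:00Z", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 445},
    {"time": "2016-12-14T10:00:20Z", "src": "203.0.113.20", "dst": "10.0.0.8", "dport": 22},
]

# Intrusion event information pushed by the sharing platform (constructed IDS alerts).
RECEIVED = [
    {"time": "2016-12-14T10:00:03Z", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": 445,
     "detail": "exploit attempt"},
    {"time": "2016-12-14T10:00:05Z", "src": "192.0.2.44", "dst": "10.0.0.8", "dport": 22,
     "detail": "login brute force"},
]

def associate(own, received, by_time=True, by_address=True, window=timedelta(seconds=60)):
    """Return joint security log entries: (own event, received event) pairs that agree on
    the selected attributes. Time alone is the loosest criterion, both together the tightest."""
    joint = []
    for r in received:
        for o in own:
            time_ok = not by_time or abs(parse_time(o["time"]) - parse_time(r["time"])) <= window
            addr_ok = not by_address or (o["src"], o["dst"], o["dport"]) == (r["src"], r["dst"], r["dport"])
            if time_ok and addr_ok:
                joint.append({"own": o, "received": r})
    return joint

def joint_defense_policy(joint):
    """Derive deny rules for attack sources that the device's own log corroborates,
    keeping first-seen order and dropping duplicates."""
    rules = []
    for entry in joint:
        r = entry["received"]
        rule = ("deny", r["src"], r["dst"], r["dport"])
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for label, mode in (("time only", {"by_address": False}),
                        ("address/port only", {"by_time": False}),
                        ("time and address/port", {})):
        joint = associate(OWN_LOG, RECEIVED, **mode)
        print(label, len(joint), joint_defense_policy(joint))
```

On the sample data, time-only association pairs every own event near 10:00 with every received alert near 10:00, so it also produces a rule for the brute-force source that this firewall never saw itself; address/port association pairs only the two denials from the exploit source; requiring both yields a single, fully corroborated pair. Which criterion a device should use is exactly the policy choice the two embodiments above leave open.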

In one embodiment, as shown in FIG. 4, an apparatus for network security joint defense is provided, and the apparatus includes:

a security log information obtaining module 402, configured to obtain security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device, obtained by the security devices in a network/system environment;

a format converting module 404, configured to convert the log formats of the multiple obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices;

a log information classifying module 406, configured to classify and summarize the intrusion event information included in the converted security log information according to preset intrusion event types;

an associated information obtaining module 408, configured to obtain a corresponding relationship between each preset intrusion event type and a security device identification;

a log information pushing module 410, configured to push the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

In one embodiment, the security device includes a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification.

The log information pushing module 410 is further configured to push fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

In one embodiment, the security device further comprises an attack defense device, and the attack source information is associated with an attack defense device identification.

The log information pushing module 410 is further configured to push the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.

In one embodiment, as shown in FIG. 5, an apparatus for network security joint defense is provided, and the apparatus includes:

a security log information generating module 502, configured to detect network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information;

a security information sharing module 504, configured to upload the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule;

an event information receiving module 506, configured to receive at least one of the event types of intrusion event information which is pushed by the security log sharing platform;

a joint policy generating module 508, configured to generate a joint defense policy by taking the received intrusion event information as clue information.

In one embodiment, the joint policy generating module 508 is further configured to associate the security log information generated by the security device itself with the received intrusion event information to generate joint security log information; and generate a joint defense policy according to the joint security log information, and implement the joint defense policy to perform intrusion event detection and intrusion event defense.
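The following is an added example, not code from the patent, that walks both the platform side of FIG. 4 (modules 404, 406, 408 and 410: convert heterogeneous device logs to one preset format, summarize by preset intrusion event type, look up the device identification for each type and push) and the device side of FIG. 5 (module 508: associate the device's own log with the pushed clue information to derive a joint defense policy). The device kinds, raw log formats, event type names, device identifications, rule names and sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Preset intrusion event types and the security device identifications each
# type is pushed to: the correspondence module 408 obtains (values constructed).
FUZZY_EVENT = "fuzzy_intrusion"   # reported by the fuzzy detection device
ATTACK_SOURCE = "attack_source"   # reported by the attack detection device
TYPE_TO_DEVICE_IDS = {
    FUZZY_EVENT: ["ids-01"],      # attack detection device
    ATTACK_SOURCE: ["fw-01"],     # attack defense device
}
# Converters into the preset log format (module 404): one raw line becomes a
# dict with ts, device_id, event_type, src, detail, or None if not an intrusion.
_SCAN_RE = re.compile(r"(?P<ts>\S+) SCAN host=(?P<src>\S+) vuln=(?P<detail>\S+)")
_IDS_RE = re.compile(r"(?P<ts>\S+) ALERT src=(?P<src>\S+) sig=(?P<detail>\S+)")

def _convert_scanner(device_id, line):
    m = _SCAN_RE.match(line)
    if m is None:
        return None
    return {"device_id": device_id, "event_type": FUZZY_EVENT, **m.groupdict()}

def _convert_ids(device_id, line):
    m = _IDS_RE.match(line)
    if m is None:
        return None
    return {"device_id": device_id, "event_type": ATTACK_SOURCE, **m.groupdict()}

CONVERTERS = {"scanner": _convert_scanner, "ids": _convert_ids}

def convert_logs(device_logs):
    """Module 404: device_logs is a list of (device_id, device_kind, raw_line)."""
    records = []
    for device_id, kind, line in device_logs:
        rec = CONVERTERS[kind](device_id, line)
        if rec is not None:
            records.append(rec)
    return records

def classify(records):
    """Module 406: summarise the converted records by preset event type."""
    summary = defaultdict(list)
    for rec in records:
        summary[rec["event_type"]].append(rec)
    return dict(summary)

def route(summary, type_to_device_ids=TYPE_TO_DEVICE_IDS):
    """Modules 408/410: return {device_id: [records]} to push. An event type
    with no corresponding device identification is not pushed anywhere."""
    pushes = defaultdict(list)
    for event_type, recs in summary.items():
        for device_id in type_to_device_ids.get(event_type, []):
            pushes[device_id].extend(recs)
    return dict(pushes)

def joint_defense_policy(own_records, received):
    """Module 508 on the attack defense device: associate the device's own
    records with the pushed attack source information (the clue information);
    a source the device also saw itself is marked confirmed (rule names constructed)."""
    own_sources = {r["src"] for r in own_records}
    policy = {}
    for rec in received:
        if rec["event_type"] != ATTACK_SOURCE:
            continue
        policy[rec["src"]] = "block_confirmed" if rec["src"] in own_sources else "block"
    return policy
# Constructed sample logs: a scanner finding, an IDS alert and an IDS line that
# is not an intrusion event and must be dropped by the converter.
SAMPLE_DEVICE_LOGS = [
    ("scan-01", "scanner", "2016-12-14T10:00:01Z SCAN host=10.0.0.7 vuln=weak-ssh-cipher"),
    ("ids-01", "ids", "2016-12-14T10:02:13Z ALERT src=203.0.113.5 sig=ssh-bruteforce"),
    ("ids-01", "ids", "2016-12-14T10:02:20Z heartbeat ok"),
]

def run_platform(device_logs=SAMPLE_DEVICE_LOGS):
    return route(classify(convert_logs(device_logs)))
```

Running `run_platform()` pushes the scanner finding to `ids-01` and the IDS alert to `fw-01`; feeding the latter to `joint_defense_policy` together with the firewall's own records yields one rule per attack source.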

In one embodiment, a server is provided, and the internal structure of the server is shown in FIG. 6. The server includes a processor, a non-volatile storage medium, an internal memory, and a network interface which are coupled via a system bus. The non-volatile storage medium of the server stores an operating system, a database and at least one computer executable instruction, which may be executed by the processor. The database is configured to store data, such as collected business traffic data. The processor is configured to provide computation and control capabilities to support the entire operation of the server. The internal memory of the server provides a cached operating environment for the operating system, the database, and the computer executable instruction in the non-volatile storage medium. The network interface is configured to communicate with the security device over a network connection. A person skilled in the art should understand that the structure of the server shown in FIG. 6 is only a part of the structure related to the solutions of the present application, and does not constitute a limitation on the server to which the solutions of the present application apply. A particular server can include more or fewer components than those shown in the drawing, or can combine some components, or can have a different component arrangement.

In one embodiment, a server is provided, and when the processor of the server executes the computer executable instructions in the memory, the processor of the server specifically performs the following steps, including: obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment;

classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types; obtaining a corresponding relationship between each preset intrusion event type and a security device identification; and pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts its own defense policy according to the pushed intrusion event information.

In one embodiment, the processor further performs a following step, including: converting a log format of the obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices.

In one embodiment, the security device includes a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification.

The processor further performs a following step, including: pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

In one embodiment, the security device further includes an attack defense device, and the attack source information is associated with an attack defense device identification.

The processor further performs a following step, including: pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.

In one embodiment, a security device is provided, and the internal structure of the security device is shown in FIG. 7. The security device includes a processor, a non-volatile storage medium, an internal memory, and a network interface which are coupled via a system bus. The non-volatile storage medium of the security device stores an operating system and at least one computer executable instruction, which may be executed by the processor. The processor is configured to provide computation and control capabilities to support the entire operation of the security device.

The internal memory of the security device provides a cached operating environment for the operating system and the computer executable instruction in the non-volatile storage medium. The network interface is configured to communicate with the server shown in FIG. 6 over a network connection. A person skilled in the art should understand that the structure of the server shown in FIG. 7 is only a part of the structure related to the solutions of the present application, and does not constitute a limitation on the server to which the solutions of the present application apply. A particular server can include more or fewer components than those shown in the drawing, or can combine some components, or can have a different component arrangement.

In one embodiment, a security device is provided, and when the processor of the security device executes the computer executable instructions in the memory, the processor of the security device specifically performs the following steps, including: detecting network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information; uploading the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information, to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule; receiving at least one of the event types of intrusion event information which is pushed by the security log sharing platform; and generating a joint defense policy by taking the received intrusion event information as clue information.

In one embodiment, the generating a joint defense policy by taking the received intrusion event information as clue information performed by the processor includes: associating the security log information generated by the security device itself with the received intrusion event information to generate joint security log information; and generating a joint defense policy according to the joint security log information, and implementing the joint defense policy to perform intrusion event detection and intrusion event defense.

Each of the above modules may be implemented in whole or in part by software, hardware, or combinations thereof. The network interface may be an Ethernet card or a wireless network card. Each of the above modules may be embedded in or independent of the processor in the server and the security device in the form of hardware, or may be stored in the memory of the server and the security device in the form of software, so that the processor can readily call it to perform the operation corresponding to that module. The processor can be a central processing unit (CPU), a microprocessor, a single chip microcomputer, or the like.

In one embodiment, one or more non-volatile readable storage media storing computer executable instructions are provided, and the instructions, when executed by one or more processors, cause the one or more processors to perform all or part of the processes of the methods of the above embodiments. The above computer executable instructions are computer executable instructions corresponding to computer programs implementing all or part of the processes of the methods in the various embodiments described above.

A person skilled in the art should understand that the processes of the methods in the above embodiments can be, in whole or in part, implemented by computer executable instructions instructing related hardware. The program can be stored in a computer readable storage medium; for example, in the embodiment of the present application, the program can be stored in a non-volatile readable storage medium of the computer system and executed by at least one processor of the computer system to implement the processes of the embodiments including the above methods. The non-volatile readable storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or the like.

The technical features of the above embodiments may be combined arbitrarily. To simplify the description, not all possible combinations of the technical features in the above embodiments are described. However, all combinations of these technical features should be considered within the scope of the description, as long as these combinations of the technical features do not conflict with each other.

The above embodiments merely represent several embodiments of the present application, and the description thereof is specific and detailed, but it should not be interpreted as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and improvements may be made without departing from the concept of the present application, and these are all within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

1. A method for network security joint defense, the method comprising: obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment; classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types; obtaining a corresponding relationship between each of the preset intrusion event types and a security device identification; and pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information.

2. The method according to claim 1, wherein after obtaining security log information of a plurality of security devices, the method further comprises: converting log formats of the multiple obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices.

3. The method according to claim 1, wherein the security device comprises a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification; the pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information further comprises: pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

4. The method according to claim 3, wherein the security device further comprises an attack defense device, and the attack source information is associated with an attack defense device identification; the pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information further comprises: pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.

5. A method for network security joint defense, the method comprising: detecting network/system state information and user behavior information in a network/system environment according to an own defense policy to generate security log information; uploading the generated security log information to a security log sharing platform, wherein the security log sharing platform is configured to classify and summarize the uploaded security log information, to generate a plurality of event types of intrusion event information, and to push the plurality of event types of intrusion event information according to a preset rule; receiving at least one of the event types of intrusion event information which is pushed by the security log sharing platform; and generating a joint defense policy by taking the received intrusion event information as clue information.

6. The method according to claim 5, wherein the generating a joint defense policy by taking the received intrusion event information as clue information comprises: associating the security log information generated by a security device itself with the received intrusion event information to generate joint security log information; and generating a joint defense policy according to the joint security log information, and implementing the joint defense policy to perform intrusion event detection and intrusion event defense.

7-12. (canceled)

13. A server, comprising: a memory; and a processor, wherein the memory stores computer executable instructions, which, when executed by the processor, cause the processor to perform the following steps, comprising: obtaining security log information of a plurality of security devices, wherein the security log information includes intrusion event information violating an own defense policy of the security device obtained by the security device in a network/system environment; classifying and summarizing the intrusion event information included in the security log information according to preset intrusion event types; obtaining a corresponding relationship between each of the preset intrusion event types and a security device identification; and pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information.

14. The server according to claim 13, wherein the processor further performs a following step, comprising: converting log formats of the multiple obtained security log information into a preset log format, wherein the preset log format is a log format that is identifiable by the plurality of the security devices.

15. The server according to claim 13, wherein the security device comprises a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification; the processor further performs a following step, comprising: pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

16. The server according to claim 15, wherein the security device further comprises an attack defense device, and the attack source information is associated with an attack defense device identification; the processor further performs a following step, comprising: pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.

17-22. (canceled)

23. The method according to claim 2, wherein the security device comprises a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification; the pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information further comprises: pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

24. The method according to claim 23, wherein the security device further comprises an attack defense device, and the attack source information is associated with an attack defense device identification; the pushing the intrusion event information which is summarized according to the intrusion event types to the security device directed to by the security device identification having a corresponding relationship, so that the security device adjusts the own defense policy thereof according to the pushed intrusion event information further comprises: pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.

25. The server according to claim 14, wherein the security device comprises a fuzzy detection device and an attack detection device, the fuzzy detection device is configured to detect a fuzzy intrusion event, the attack detection device is configured to detect attack source information, and the detected fuzzy intrusion event is associated with an attack detection device identification; the processor further performs a following step, comprising: pushing fuzzy intrusion event information to the attack detection device, so that the attack detection device generates an attack source joint detection policy according to the fuzzy intrusion event information, and the attack detection device detects the attack source information according to the attack source joint detection policy.

26. The server according to claim 25, wherein the security device further comprises an attack defense device, and the attack source information is associated with an attack defense device identification; the processor further performs a following step, comprising: pushing the attack source information to the attack defense device, so that the attack defense device generates a joint defense policy according to the attack source information.